Re: [GENERAL] cgi with postgres
From | Charles Tassell |
---|---|
Subject | Re: [GENERAL] cgi with postgres |
Date | |
Msg-id | 4.2.0.58.20000117163358.00a7cce0@mailer.isn.net |
In response to | Re: [GENERAL] cgi with postgres (Stephane Bortzmeyer <bortzmeyer@pasteur.fr>) |
List | pgsql-general |
This really doesn't have anything to do with Postgres, but you guys may want to look into the cgi-wrapper addon that comes with Apache. I haven't used it myself, but from what I understand it does a setuid to the user whose home directory the CGI is in before executing it, thus having the same file access permissions as that user. Then it doesn't matter if other people can run CGI scripts or have shell access, as unless they have the password for the account of the CGI, they can't read it (as long as you aren't an idiot in setting the file permissions.) PHP3 has a similar ability built in that can be turned on via the php3.ini file.

The problem with CGI security isn't so much a matter of people getting shell access and playing around, it's more along the lines of writing a CGI that executes a program such as find or cat as the web user, which would enable them to list and display all the CGIs on the system, and their config files.

At 12:02 PM 1/17/00, Stephane Bortzmeyer wrote:
>On Monday 17 January 2000, at 11 h 18, the keyboard of Jeff MacDonald
><jeff@hub.org> wrote:
>
> > > My CGIs source a config file, in mode 700, only readable by 'www' (the user
> > > which executes Apache).
> >
> > this option works, but not well if the user isn't root.
>
>Can you elaborate? Of course, it works well and of course, the actual user
>is not root.
>
>************
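
Added example, not part of the original message: a small audit of the file-permission condition the thread relies on, checking that a CGI's database config file is a regular file, owned by the account the CGI runs as, closed to group and other, and not sitting in a directory other users can write to. The function names, file names and sample contents are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_secret_file(path, expected_uid):
    """Return a list of problems with a credentials file; [] means it passes."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink, directory or device)"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append(f"readable by group or other (mode {mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"writable by group or other (mode {mode:04o})")
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    # A directory others can write to lets them swap the file out, whatever its mode.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    pmode = stat.S_IMODE(parent.st_mode)
    if pmode & (stat.S_IWGRP | stat.S_IWOTH) and not pmode & stat.S_ISVTX:
        problems.append(f"parent directory writable by group or other (mode {pmode:04o})")
    return problems


def demo():
    """Audit constructed sample files; returns {label: problems}."""
    workdir = tempfile.mkdtemp()  # created with mode 0700
    results = {}
    for label, mode in (("0600", 0o600), ("0644", 0o644), ("0660", 0o660)):
        path = os.path.join(workdir, f"db-{label}.conf")
        with open(path, "w") as fh:
            fh.write("password=constructed-sample\n")
        os.chmod(path, mode)
        results[label] = audit_secret_file(path, os.getuid())
    link = os.path.join(workdir, "link.conf")
    os.symlink(os.path.join(workdir, "db-0600.conf"), link)
    results["symlink"] = audit_secret_file(link, os.getuid())
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "OK" if not problems else problems)
```

Run it as the account the CGI executes under, so that `expected_uid` matches the user that has to read the file.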